* Subject: Memory Leak vulnerability in reftable/readwrite_test.c @ 2025-03-01 6:07 H Z 2025-03-01 6:10 ` H Z 2025-03-01 11:31 ` René Scharfe 0 siblings, 2 replies; 7+ messages in thread From: H Z @ 2025-03-01 6:07 UTC (permalink / raw) To: git Hi, I have found a potential memory leak bug in reftable/readwrite_test.c and would like to report it to the maintainers. Can you please help me to check it? Thank you for your effort and patience! Below is the execution sequence of the program that may produce the bug. First, in file src/wrapper.c, function xstrdup allocates memory at line 40 and returns at line 43. Second, in the file reftable/reader.c, the function init_reader calls the function xstrdup on line 202 to allocate memory for r->name, which is the formal parameter of the function init_reader. Third, in file reftable/readwrite_test.c, function test_corrupt_table_empty calls function init_reader on line 935 with &rd passed as the first argument, causing rd->name to be allocated memory. rd->name is not freed, which would cause the memory leak vulnerability. Thank you very much for reading and I look forward to hearing from you! ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Subject: Memory Leak vulnerability in reftable/readwrite_test.c 2025-03-01 6:07 Subject: Memory Leak vulnerability in reftable/readwrite_test.c H Z @ 2025-03-01 6:10 ` H Z 2025-03-01 11:31 ` René Scharfe 1 sibling, 0 replies; 7+ messages in thread From: H Z @ 2025-03-01 6:10 UTC (permalink / raw) To: git [-- Attachment #1: Type: text/plain, Size: 1148 bytes --] Also, here's the code path that leads to that memory leak vulnerability, which I've represented with an image. H Z <shiyuyuranzh@gmail.com> 于2025年3月1日周六 14:07写道: > > Hi, I have found a potential memory leak bug in > reftable/readwrite_test.c and would like to report it to the > maintainers. Can you please help me to check it? Thank you for your > effort and patience! > > Below is the execution sequence of the program that may produce the bug. > > First, in file src/wrapper.c, function xstrdup allocates memory at > line 40 and returns at line 43. > Second, in the file reftable/reader.c, the function init_reader calls > the function xstrdup on line 202 to allocate memory for r->name, which > is the formal parameter of the function init_reader. > Third, in file reftable/readwrite_test.c, function > test_corrupt_table_empty calls function init_reader on line 935 with > &rd passed as the first argument, causing rd->name to be allocated > memory. rd->name is not freed, which would cause the memory leak > vulnerability. > > Thank you very much for reading and I look forward to hearing from you! [-- Attachment #2: image.png --] [-- Type: image/png, Size: 193692 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Subject: Memory Leak vulnerability in reftable/readwrite_test.c 2025-03-01 6:07 Subject: Memory Leak vulnerability in reftable/readwrite_test.c H Z 2025-03-01 6:10 ` H Z @ 2025-03-01 11:31 ` René Scharfe 2025-03-01 11:34 ` H Z 2025-03-04 6:33 ` Jeff King 1 sibling, 2 replies; 7+ messages in thread From: René Scharfe @ 2025-03-01 11:31 UTC (permalink / raw) To: H Z, git; +Cc: Patrick Steinhardt Am 01.03.25 um 07:07 schrieb H Z: > Hi, I have found a potential memory leak bug in > reftable/readwrite_test.c and would like to report it to the > maintainers. Can you please help me to check it? Thank you for your > effort and patience! I wouldn't call it a vulnerability if it just affects test code, as it is not executed by git (the executable run by end users). We still want to fix those, however. > Below is the execution sequence of the program that may produce the bug. > > First, in file src/wrapper.c, function xstrdup allocates memory at > line 40 and returns at line 43. > Second, in the file reftable/reader.c, the function init_reader calls > the function xstrdup on line 202 to allocate memory for r->name, which > is the formal parameter of the function init_reader. Not exactly true since 12b9078066 (reftable: handle trivial allocation failures, 2024-10-02); the allocation is done by reftable_strdup() now. And 2de3c0d345 (reftable/reader: inline `init_reader()`, 2024-08-23) got rid of init_reader(). > Third, in file reftable/readwrite_test.c, function > test_corrupt_table_empty calls function init_reader on line 935 with > &rd passed as the first argument, causing rd->name to be allocated > memory. rd->name is not freed, which would cause the memory leak > vulnerability. This test was moved to t/unit-tests/t-reftable-readwrite.c by 5b539a5361 (t: move reftable/readwrite_test.c to the unit testing framework, 2024-08-13). t_corrupt_table_empty() calls reftable_reader_new() and returns REFTABLE_FORMAT_ERROR before it reaches the reftable_strdup() call, so there is no leak in this test (anymore?). reftable_reader_new() would leak name if its block_source_read_block() or parse_footer() calls failed, though. We could do the name allocation only after those calls to avoid that, but that may complicate matters. Alternative patch below. Also its comment in reftable/reftable-reader.h mentions that reftable_reader_destroy() needs to be called after use, but that function has never existed. Odd. René --- >8 --- Subject: [PATCH] reftable: release name on reftable_reader_new() error If block_source_read_block() or parse_footer() fail, we leak the "name" member of struct reftable_reader in reftable_reader_new(). Release it. Reported by: H Z <shiyuyuranzh@gmail.com> Signed-off-by: René Scharfe <l.s.r@web.de> --- reftable/reader.c | 1 + 1 file changed, 1 insertion(+) diff --git a/reftable/reader.c b/reftable/reader.c index 3f2e4b2800..f38c83f140 100644 --- a/reftable/reader.c +++ b/reftable/reader.c @@ -666,6 +666,7 @@ int reftable_reader_new(struct reftable_reader **out, reftable_block_done(&footer); reftable_block_done(&header); if (err) { + reftable_free(r->name); reftable_free(r); block_source_close(source); } -- 2.48.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: Subject: Memory Leak vulnerability in reftable/readwrite_test.c 2025-03-01 11:31 ` René Scharfe @ 2025-03-01 11:34 ` H Z 2025-03-04 6:33 ` Jeff King 1 sibling, 0 replies; 7+ messages in thread From: H Z @ 2025-03-01 11:34 UTC (permalink / raw) To: René Scharfe; +Cc: git, Patrick Steinhardt Thank you very much for your reply. René Scharfe <l.s.r@web.de> 于2025年3月1日周六 19:31写道: > > Am 01.03.25 um 07:07 schrieb H Z: > > Hi, I have found a potential memory leak bug in > > reftable/readwrite_test.c and would like to report it to the > > maintainers. Can you please help me to check it? Thank you for your > > effort and patience! > > I wouldn't call it a vulnerability if it just affects test code, as it > is not executed by git (the executable run by end users). We still want > to fix those, however. > > > Below is the execution sequence of the program that may produce the bug. > > > > First, in file src/wrapper.c, function xstrdup allocates memory at > > line 40 and returns at line 43. > > Second, in the file reftable/reader.c, the function init_reader calls > > the function xstrdup on line 202 to allocate memory for r->name, which > > is the formal parameter of the function init_reader. > > Not exactly true since 12b9078066 (reftable: handle trivial allocation > failures, 2024-10-02); the allocation is done by reftable_strdup() now. > And 2de3c0d345 (reftable/reader: inline `init_reader()`, 2024-08-23) > got rid of init_reader(). > > > Third, in file reftable/readwrite_test.c, function > > test_corrupt_table_empty calls function init_reader on line 935 with > > &rd passed as the first argument, causing rd->name to be allocated > > memory. rd->name is not freed, which would cause the memory leak > > vulnerability. > > This test was moved to t/unit-tests/t-reftable-readwrite.c by 5b539a5361 > (t: move reftable/readwrite_test.c to the unit testing framework, > 2024-08-13). > > t_corrupt_table_empty() calls reftable_reader_new() and returns > REFTABLE_FORMAT_ERROR before it reaches the reftable_strdup() call, so > there is no leak in this test (anymore?). > > reftable_reader_new() would leak name if its block_source_read_block() > or parse_footer() calls failed, though. We could do the name > allocation only after those calls to avoid that, but that may > complicate matters. Alternative patch below. > > Also its comment in reftable/reftable-reader.h mentions that > reftable_reader_destroy() needs to be called after use, but that > function has never existed. Odd. > > René > > > --- >8 --- > Subject: [PATCH] reftable: release name on reftable_reader_new() error > > If block_source_read_block() or parse_footer() fail, we leak the "name" > member of struct reftable_reader in reftable_reader_new(). Release it. > > Reported by: H Z <shiyuyuranzh@gmail.com> > Signed-off-by: René Scharfe <l.s.r@web.de> > --- > reftable/reader.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/reftable/reader.c b/reftable/reader.c > index 3f2e4b2800..f38c83f140 100644 > --- a/reftable/reader.c > +++ b/reftable/reader.c > @@ -666,6 +666,7 @@ int reftable_reader_new(struct reftable_reader **out, > reftable_block_done(&footer); > reftable_block_done(&header); > if (err) { > + reftable_free(r->name); > reftable_free(r); > block_source_close(source); > } > -- > 2.48.1 > ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Subject: Memory Leak vulnerability in reftable/readwrite_test.c 2025-03-01 11:31 ` René Scharfe 2025-03-01 11:34 ` H Z @ 2025-03-04 6:33 ` Jeff King 2025-03-04 7:39 ` H Z 2025-03-04 16:11 ` [PATCH v2] reftable: release name on reftable_reader_new() error René Scharfe 1 sibling, 2 replies; 7+ messages in thread From: Jeff King @ 2025-03-04 6:33 UTC (permalink / raw) To: René Scharfe; +Cc: Junio C Hamano, H Z, git, Patrick Steinhardt On Sat, Mar 01, 2025 at 12:31:33PM +0100, René Scharfe wrote: > --- >8 --- > Subject: [PATCH] reftable: release name on reftable_reader_new() error > > If block_source_read_block() or parse_footer() fail, we leak the "name" > member of struct reftable_reader in reftable_reader_new(). Release it. > > Reported by: H Z <shiyuyuranzh@gmail.com> > Signed-off-by: René Scharfe <l.s.r@web.de> > --- > reftable/reader.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/reftable/reader.c b/reftable/reader.c > index 3f2e4b2800..f38c83f140 100644 > --- a/reftable/reader.c > +++ b/reftable/reader.c > @@ -666,6 +666,7 @@ int reftable_reader_new(struct reftable_reader **out, > reftable_block_done(&footer); > reftable_block_done(&header); > if (err) { > + reftable_free(r->name); > reftable_free(r); > block_source_close(source); > } Coverity complains that "r" might be NULL here. At the top of the function we do: REFTABLE_CALLOC_ARRAY(r, 1); if (!r) { err = REFTABLE_OUT_OF_MEMORY_ERROR; goto done; } and then the done label hits your new line (the "done:" is right above the context in your patch). And err of course is non-zero. So this probably needs an "if (r)", or multiple layered out-labels. Or alternatively we could return directly when the first allocation fails, since there is nothing to clean up at that point. -Peff ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Subject: Memory Leak vulnerability in reftable/readwrite_test.c 2025-03-04 6:33 ` Jeff King @ 2025-03-04 7:39 ` H Z 2025-03-04 16:11 ` [PATCH v2] reftable: release name on reftable_reader_new() error René Scharfe 1 sibling, 0 replies; 7+ messages in thread From: H Z @ 2025-03-04 7:39 UTC (permalink / raw) To: Jeff King; +Cc: René Scharfe, Junio C Hamano, git, Patrick Steinhardt Very nice fix, thanks again for doing it! Jeff King <peff@peff.net> 于2025年3月4日周二 14:33写道: > > On Sat, Mar 01, 2025 at 12:31:33PM +0100, René Scharfe wrote: > > > --- >8 --- > > Subject: [PATCH] reftable: release name on reftable_reader_new() error > > > > If block_source_read_block() or parse_footer() fail, we leak the "name" > > member of struct reftable_reader in reftable_reader_new(). Release it. > > > > Reported by: H Z <shiyuyuranzh@gmail.com> > > Signed-off-by: René Scharfe <l.s.r@web.de> > > --- > > reftable/reader.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/reftable/reader.c b/reftable/reader.c > > index 3f2e4b2800..f38c83f140 100644 > > --- a/reftable/reader.c > > +++ b/reftable/reader.c > > @@ -666,6 +666,7 @@ int reftable_reader_new(struct reftable_reader **out, > > reftable_block_done(&footer); > > reftable_block_done(&header); > > if (err) { > > + reftable_free(r->name); > > reftable_free(r); > > block_source_close(source); > > } > > Coverity complains that "r" might be NULL here. At the top of the > function we do: > > REFTABLE_CALLOC_ARRAY(r, 1); > if (!r) { > err = REFTABLE_OUT_OF_MEMORY_ERROR; > goto done; > } > > and then the done label hits your new line (the "done:" is right above > the context in your patch). And err of course is non-zero. > > So this probably needs an "if (r)", or multiple layered out-labels. Or > alternatively we could return directly when the first allocation fails, > since there is nothing to clean up at that point. > > -Peff ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2] reftable: release name on reftable_reader_new() error 2025-03-04 6:33 ` Jeff King 2025-03-04 7:39 ` H Z @ 2025-03-04 16:11 ` René Scharfe 1 sibling, 0 replies; 7+ messages in thread From: René Scharfe @ 2025-03-04 16:11 UTC (permalink / raw) To: Jeff King; +Cc: Junio C Hamano, H Z, Patrick Steinhardt, git If block_source_read_block() or parse_footer() fail, we leak the "name" member of struct reftable_reader in reftable_reader_new(). Release it. Reported by: H Z <shiyuyuranzh@gmail.com> Helped-by: Jeff King <peff@peff.net> Signed-off-by: René Scharfe <l.s.r@web.de> --- Change since v1: Avoid NULL pointer dereference. Thank you, Peff! reftable/reader.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/reftable/reader.c b/reftable/reader.c index 3f2e4b2800..24bae50ac2 100644 --- a/reftable/reader.c +++ b/reftable/reader.c @@ -666,6 +666,8 @@ int reftable_reader_new(struct reftable_reader **out, reftable_block_done(&footer); reftable_block_done(&header); if (err) { + if (r) + reftable_free(r->name); reftable_free(r); block_source_close(source); } -- 2.48.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
end of thread, other threads:[~2025-03-04 16:12 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2025-03-01 6:07 Subject: Memory Leak vulnerability in reftable/readwrite_test.c H Z 2025-03-01 6:10 ` H Z 2025-03-01 11:31 ` René Scharfe 2025-03-01 11:34 ` H Z 2025-03-04 6:33 ` Jeff King 2025-03-04 7:39 ` H Z 2025-03-04 16:11 ` [PATCH v2] reftable: release name on reftable_reader_new() error René Scharfe
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).
![[-- Attachment #2: image.png --] [-- Type: image/png, Size: 193692 bytes --]](../../CAAJd+fbNhGa5Pe4x-_rbwXVoye9uBD45zoJtu7riiW7GfnU1Cg@mail.gmail.com/2-image.png){kind=link}